VBS/Sausage-A is a VBScript worm for the Windows platform that attempts to spread via email to all members of the users outlook address book by attaching itself to messages constructed in the following format:
Subject: Elloha ota ouya
Message text: Earda Serua! Ouya reaa heta tupidistsa ersonpa ia aveha verea
etma!
Attachment name: ummama.vbs
VBS/Sausage-A will try to copy itself to the file c:\documents and settings\all users\XXX FREE PORN.vbs and will set the following two registry entries:
HKLM\Software\Virus for hackers = Sausage rolls taste crap!!!
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
XXX = C:\windows\system32\exysa ummama.vbs
Upon execution VBS/Sausage-A displays the following messages in order:
'Microsoft Server show that your copy of Windows XP Home Edition is vulnerable to the new virus: VBS.Rundll32.worm - please click yes when the file downloader appears to download the patch for your offical protection'
'Virus: VBS.Rundll32-A.Worm has been detected in C:\Windows\System32\Anoy.vbe - Sophos cannot delete the file'
'Virus: VBS.Rundll32-A.Worm has not been deleted! It is reccomended you delete the file attempt delete?'
'Your system is very low on Virtual Memory - do you want to correct this?'
The last two message boxes will have yes/no boxes for the user to select. These options are in fact redundant and VBS/Sausage-A will perform the same actions regardless of the users selection.
VBS/Sausage-A will then attempt to open a number of application to irritate the user. These programs include solitaire and Microsoft Word, VBS/Sausage-A will also try to connect to the internet and display the image located at the URL http://www.bootyboutique.com/sexy%20carla.png.
VBS/Sausage-A will then try to download the file specified in the URL http://www.computerpranks.com/download/prank/cd.exe before terminating the processes smss.exe, winlogon.exe and sweepsrv.sys and attempting to format the drives D:, E: and F:.